CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Dbashford: >> Textract >> 1.1.2 Security Vulnerabilities

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization

CVSS Score

9.8

EPSS Score

0.004

Published

2026-03-25

Page 1

Vulnerabilities

Vulnerable Software

Dbashford: >> Textract >> 1.1.2 Security Vulnerabilities

Products

Pricing

Contact Us